Too Far Afield

Right now our DNS servers are used for a DNS root query amplification attack. The attack works like this: Mallory (the bad guy) is sending a lot of UDP queries for the root zone to a number of DNS servers. These queries are very short and don’t require a lot of bandwidth. In theory, the DNS server will respond with a very large response, because the response would contain the whole DNS root zone file. When sending the queries, Mallory will spoof the IP address of the source. He uses the IP of Alice (the good gal). The DNS server will send all the large root zone files back to Alice. Alice connection will be filled with root zone files from all over the world. This is a very nice attack vector, as it allows Mallory to send much more traffic to Alice then he can actually generate himself. Also, this does not really affect the DNS servers that are used by Mallory. If he does it the right way, it might even go unnoticed.

According to our DNS server log, these forged queries come in at a rate of about 20 Hz. Of course, our DNS server does not allow recursion from outside the trusted company network, so this is not really a problem either for us nor for Alice. Our DNS servers respond with a servfail. The log is full of these errors at the moment:

1. Not authoritative for '', sending servfail to 89.149.221.182 (recursion was desired)

It is important to note that the IP address displayed in the log (which is in the middle of a subnet of a German provider based in Frankfurt/Main) is not Mallory, the attacker. It is Alice, the target of the attack.

While not as bad as a full root zone response, a servfail is still data. If we send enough data down the line to Alice, their service will go down. Also, our own log files will be full of error messages and they will grow big. We don’t want any of this, so what else can we do beyond disabling recursion for the outside world? Of course we could stop responding to those kind of requests entirely, playing stealth DNS. Unfortunately, this makes DNS cache poisoning easier, so we don’t want to do this. Instead, we use fail2ban to block an IP address temporarily after 10 failed queries for the root zone in a relatively short time frame. The following regular expressions will be fine for PowerDNS:

1. not authoritative for(.*)servfail(.*)<HOST>
2. pdns\[.*\]: Not authoritative for '', sending servfail to <HOST>

If you are administering your own DNS server, check your log files for these kind of attacks and implement appropriate measures to prevent them.

Shameless plug: If this post was useful to you, please consider buying yourself something from one of my Amazon stores: US store, UK store, FR store, DE store, CA store. If you're not into Amazon, why not donate something to GNOME, Mozilla or Wikipedia? Thank you!

This entry was posted on Friday, February 6th, 2009 at 00:34 UTC and is filed under General. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.